Azure Sentinel: Sending an Email Each Morning with the List of Daily Incidents Created

Overnight you may have noticed that our new SecurityIncident table was finally released out of preview. The data contained in this new table answers a huge ask from customers: it gives Azure Sentinel analysts the ability to query Security Incident data directly and to generate Workbooks and reports based on it. I've been …
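As an added example (not code from the original post), the query below lists the incidents created in the last 24 hours, which is the shape of result a scheduled Logic App would mail out each morning. It assumes the standard SecurityIncident schema (IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime, Owner, IncidentUrl); the 7-day lookback window is an assumption chosen so that the latest update row of each incident is still in scope.

```kql
// Added example, not from the original post.
// SecurityIncident writes a new row every time an incident is updated,
// so collapse to the latest row per IncidentNumber before filtering on CreatedTime.
SecurityIncident
| where TimeGenerated > ago(7d)                        // assumption: wide enough to catch every update row
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where CreatedTime > ago(1d)                          // created in the last 24 hours
| project CreatedTime, IncidentNumber, Title, Severity, Status,
          AssignedTo = tostring(Owner.assignedTo),    // Owner is a dynamic column
          IncidentUrl
| order by Severity asc, CreatedTime desc
```

To turn this into the morning email, schedule it with a Logic App on a daily Recurrence trigger, run it with the Azure Monitor Logs connector's "Run query and list results" action against the Sentinel workspace, render the rows with "Create HTML table", and pass the table to an Office 365 Outlook "Send an email" action.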

Adding MBAM/Bitlocker Logs to Azure Sentinel

With the recent warning about a new vulnerability (CVE-2020-10713), which is being called BootHole, some customers may want to monitor the MBAM/BitLocker logs, as there's no real protection against the flaw yet. In doing so, they may also want to raise notifications through analytics, which is a perfect situation for Azure Sentinel. However, there's a …

Building the Azure Sentinel Toolbox: Threat Analytics Search Browser Plug-in

There's an almost unlimited number of actions you can take utilizing Playbooks (Logic Apps) in Azure Sentinel. You can attach a Playbook to an Analytics Rule to automate reaction to an alert, or you can run Playbooks manually inside the details of an Incident. For example, as part of my own Azure Sentinel investigations, I …

Visualize Microsoft Forms results in Log Analytics

Suspicious Activity Report

I was recently assisting a group of students with a project for the Sentinel Hackathon. We came up with the idea to create alerts and dashboards based on Suspicious Activity Reports. The following example will demonstrate how Microsoft Forms responses can be sent to Log Analytics using a Logic App for further analysis. The solution …

Azure Sentinel Incident Auto-refresh feature hits GA

It's the little things, right? It's the attention to detail that drives quality and consumption. That said, today the Auto-refresh feature for Azure Sentinel Incidents has hit the general availability milestone. What does it do? Good question. Again, a very simple-looking and simple-sounding feature, but also a very powerful tool to use …

Managing Disconnected Azure VMs for Azure Sentinel

For those who take the deeper security plunge for their Azure VMs and disconnect them from the Internet completely, did you know this will create a bit of a challenge for monitoring security with Azure Sentinel? The Log Analytics agent requires an Internet connection to function, but by enabling a specific …

Modified IP Address to GEO to Tags Azure Sentinel Playbook

One of my favorite Playbooks is the one created by Nicholas DiCola that provides GEO information for IP Addresses that are associated with an Azure Sentinel Incident. Once the information is obtained, it's placed in the Incident's Tags for easy readability and quick-glance information about where the connections are coming from. I run this Playbook …

KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350. If you're using Azure Sentinel, Intune, or any other service that can use KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those …

Visualizing Azure Sentinel Billable Data by Solution and Data Type

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console. But, for those cost-conscious individuals who need more, here are a couple of valuable KQL queries to better visualize data consumption. Billable data volume by data type: `Usage | where TimeGenerated > ago(32d) …`
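As an added example (not the queries from the original post), the block below breaks billable ingestion down per day, first by data type and then by solution, using the standard Usage table. It assumes the documented Usage columns (StartTime, EndTime, IsBillable, Quantity in MB, DataType, Solution); the 31-day window of full days is an assumption matching the `ago(32d)` filter in the excerpt.

```kql
// Added example, not from the original post.
// Billable data volume per day, by data type.
// Quantity is reported in MB, so divide by 1000 to chart GB.
Usage
| where TimeGenerated > ago(32d)                       // assumption: look back just past 31 full days
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true                             // drop free data types (e.g. AzureActivity, Heartbeat)
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart

// Same window, but grouped by the solution that produced the data.
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution
| render columnchart
```

Run each query on its own in Logs (or pin each one as a Workbook tile); the StartTime/EndTime filter keeps the partial current day out of the chart so the daily bars are comparable.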

Locate all the Preview Goodies in Your Azure Sentinel Console

There are Preview items and Private Preview items (if you've joined the Private Preview program) in your Azure Sentinel console. You come across one or two periodically, but how do you locate all of them at once? Pretty simple to do, but often overlooked. In the Data Connectors, Analytics, or Hunting blades, just enter 'preview' in …